[tac_plus] Anyway to format the .acct file or have it log to syslog?
heasley
heas at shrubbery.net
Thu Aug 23 08:51:58 UTC 2018
Wed, Aug 22, 2018 at 01:13:03AM +0000, Matt Almgren:
> Actually after sending that last message and doing some more testing, I see the problem is with rsyslog. I tried to tcpdump on the SIEM server and it’s not seeing the .acct messages, only the normal tacacs log and syslog message entries.
>
> Rsyslog is skipping over the tacacs.acct log entries. It is picking up all the other log entries, EXCEPT for the tac_plus.acct log messages. So now I need to either reformat them into a rsyslog format or find another way to log ship them to our SIEM server for processing.
>
> -- Matt
Maybe filtering priority info? Or try syslog-ng.